Abstract

Virtual organizations are dynamic, inter-organizational collaborations that involve systems and services belonging to different security domains. Several solutions have been proposed to guarantee the enforcement of the access control policies protecting the information exchanged in a distributed system, but none of them addresses the dynamicity characterizing virtual organizations. In this paper we propose a dynamic hierarchical attribute-based encryption (D-HABE) scheme that allows the institutions in a virtual organization to encrypt information according to an attribute-based policy in such a way that only users with the appropriate attributes can decrypt it. In addition, we introduce a key management scheme that determines which user is entitled to receive which attribute key from which domain authority.



1 Introduction 

The last decade has been characterized by the rise of a new operational paradigm where distributed systems and services collaborate to achieve a common goal. These collaborations, also known as virtual organizations [12], often consist of systems that belong to different security domains governed by different authorities, and are mostly dynamic, with systems joining and leaving the virtual organization on the fly.

While offering a high degree of operational flexibility and enabling new business models, the virtual organization paradigm has a strong impact on information security. In fact, parties in a virtual organization may be required to share a large amount of information for the achievement of common goals. This information, however, might be sensitive and should only be accessed by authorized users and institutions. Access to sensitive information is usually regulated by access control policies, which specify which users can access which information. If the information is confined within a single, trusted system, policy enforcement can be achieved using traditional enforcement mechanisms [20]. However, when information needs to be disclosed across different security domains, guaranteeing policy enforcement becomes more challenging.

We identify two main existing approaches to the problem of distributed policy enforcement: "a posteriori" solutions and cryptographic techniques. A posteriori solutions (e.g., [6]) address the problem by verifying whether users' actions comply with access control policies. Typically, this is achieved by means of logging mechanisms that record every action of the users of a system, and auditing authorities, trusted by all the systems in the virtual organization, which perform the analysis of these logs. The realization of such an infrastructure, however, is complicated by the dynamicity and the (often) short-lived nature of virtual organizations. In addition, rather than enforcing access control policies, a posteriori solutions only allow their infringement to be detected. When the infringement involves information that may harm individuals (e.g., a list of HIV patients) or compromise the success of a virtual organization (e.g., trade secrets), this solution is not satisfactory.

On the other hand, cryptographic techniques enable the distributed enforcement of access control policies. In particular, attribute-based encryption (ABE) [19] enables encryption of sensitive information according to an attribute-based policy in such a way that only users with certain attributes (e.g., roles) can access the information. In ABE, attributes are certified by key (or domain) authorities (e.g., hospitals) which release to their users an attribute (decryption) key for each attribute they possess (e.g., their role within the hospital). Besides having different roles, however, the users and institutions involved in a virtual organization are frequently organized in a hierarchical structure, which reflects the "chain of command" within the virtual organization. Hierarchical ABE (HABE) [15, 23] enhances ABE by reflecting the delegation mechanisms occurring in hierarchical domains, allowing a domain authority to delegate its right to issue attribute keys to another (sub-)domain authority.

When applied to virtual organizations, the main limitation of existing HABE schemes is that they require binding the attributes in an access control policy to a specific domain authority at encryption time. Consequently, users of institutions that join a virtual organization at a later stage are not able to access previously encrypted information, even though they possess the appropriate attributes. Information thus needs to be re-encrypted every time a new institution joins the virtual organization. Furthermore, HABE schemes implicitly assume the existence of a mechanism that allows domain authorities to determine the attribute keys that their users are entitled to receive. In some cases this can be achieved, for instance, by simply issuing the keys according to the institution's user-role assignments. In other circumstances, however, the attributes of a user may depend on other attributes or conditions determined by third parties. As a result, current HABE schemes do not address the dynamics characterizing virtual organizations.

In this paper we propose a solution to the problem of distributed policy enforcement in virtual organizations, which combines cryptographic techniques with trust management [3, 7]. In particular, we define:

• A dynamic HABE (D-HABE) scheme that does not require the encryptor to bind the attributes in an 
access control policy to a specific domain authority at encryption time. This enables users of domain 
authorities that join a virtual organization at a later stage to decrypt the information that they are 
entitled to access, without the need of re-encrypting it. 

• A key management scheme that determines which user is entitled to receive which attribute key from 
which domain authority. 

The proposed D-HABE scheme is an extension of the CP-ABE scheme proposed by Bethencourt et al. [2]. Although subsequent CP-ABE schemes (e.g. [24, 9, 14]) have stronger security properties, as they are proved in the standard model, the original scheme of Bethencourt et al., proved in the generic group model and thus enjoying weaker security, is more efficient and expressive, since an access predicate can be expressed in terms of any monotonic formula over attributes. As in [2], we trade stronger security for efficiency and expressiveness and provide the proof in the generic group model, leaving the proof in the standard model for future work. One point worth mentioning is that, in the proposed scheme, the number of secret key components related to the set of attributes $\omega$ is $|\omega| + 1$, compared to $2 \cdot |\omega|$ in Bethencourt et al.'s scheme.

The paper is organized as follows. Section 2 discusses related work. Section 3 presents an example of a virtual organization in the health-care domain. Sections 4 and 5 introduce the D-HABE scheme, and Section 6 proves its security. Then, Section 7 shows how access control policies can be mapped into D-HABE policies, and how to determine which users should receive which keys. Finally, Section 8 concludes the paper and provides directions for future work.

2 Related Work 

The concept of identity-based encryption (IBE) was first introduced by Shamir [21]. In IBE schemes, the public (i.e., encryption) key can be any string, e.g., a user name or email address. The first practical IBE scheme based on bilinear pairing on elliptic curves was proposed by Boneh and Franklin [5]. In this scheme, a central domain authority issues private (i.e., decryption) keys to the users based on their identity, using a central master secret key.

Later, several alternative IBE schemes have been proposed. Hierarchical IBE (HIBE) schemes [8, 4], for instance, are generalizations of the IBE scheme that reflect an organizational hierarchy. In HIBE, a domain authority at a certain level in the hierarchy can issue secret keys only to users and domain authorities at lower levels in the hierarchy. The first HIBE scheme was proposed by Gentry and Silverberg [8]. The security of their scheme is based on the Bilinear Diffie-Hellman (BDH) assumption in the random oracle model. In [8], the size of ciphertexts and private keys is directly proportional to the level of a domain authority in the hierarchy. Boneh et al. [4] proposed an alternative HIBE scheme, where the size of the ciphertext is independent of the hierarchy levels, and the size of the private key is inversely proportional to the level of a domain authority. However, contrary to [8], the HIBE scheme in [4] requires the depth of the hierarchy to be fixed in the setup phase of the scheme. The scheme in [4] is selective-ID secure in the standard model and fully secure in the random oracle model.

The concept of attribute-based encryption (ABE) was first introduced by Sahai and Waters [19], though it was called fuzzy identity-based encryption by the authors. In their scheme, an identity is represented by a set of attributes. The ABE scheme uses an attribute space $\Omega$ and a function $F(\omega)$ (called a decryption policy) over a set of attributes $\omega \in \Omega$. A user with an attribute set $\omega'$ is able to decrypt some encrypted information if $F(\omega') = 1$, i.e., if $\omega'$ satisfies the policy. In ciphertext-policy attribute-based encryption (CP-ABE) schemes [2, 18], the function $F$ is associated with the encryption of a message $M$ and a user's secret key is associated with a set of attributes $\omega' \in \Omega$. In key-policy attribute-based encryption (KP-ABE) [9] the idea is reversed, i.e., the function $F$ is associated with a user's secret key, while a message $M$ to be encrypted is associated with an attribute set $\omega' \in \Omega$.

A number of variants of the ABE scheme have been proposed since its introduction. They range from extending its functionality to proposing schemes with stronger security proofs. For example, the scheme in [13] enables a semi-trusted entity to update a decryption policy $F(\omega)$ to a decryption policy $F(\omega')$ using a re-encryption key provided by the initial encryptor, without allowing the semi-trusted entity to decrypt the information. Recently, Green et al. [10] proposed a new ABE scheme which largely reduces the computational overhead associated with ABE schemes. This is enabled by outsourcing the decryption to a semi-trusted entity by means of a re-encryption key, similarly to [13]. The semi-trusted entity can then use the re-encryption key to transform the ciphertext into a constant-size El-Gamal style ciphertext. Similarly, in order to improve the performance of ABE schemes, Jin et al. [15] propose an ABE scheme that treats attribute hierarchies similarly to traditional role-based access control. In this scheme, the private key for an attribute at a certain level in the hierarchy can be used to decrypt a ciphertext associated with attributes at lower levels in the hierarchy. If the attribute hierarchy is not defined, then the proposed construction can be viewed as a normal ABE scheme.

The work that is closest to the solution proposed in this paper is the one of Wang et al. [23], who propose a hierarchical attribute-based encryption (HABE) scheme based on the HIBE scheme of Gentry and Silverberg [8]. In [23], however, attributes are bound to a specific domain authority during encryption, and hence users with attribute keys issued by different domain authorities are not able to access the encrypted information. The scheme is therefore not suitable for virtual organizations, which are the focus of this paper. The next section presents an example of a virtual organization in the health-care domain and shows the limitations of the existing (H)ABE schemes in the proposed scenario.

3 Motivating Example: EHR Infrastructure 

In recent years the number of available healthcare providers and healthcare services has increased considerably: next to hospitals, pharmacies and general practitioners (GPs), specialized private clinics and laboratories as well as nursing homes and eHealth services are now available to the citizens. This, combined with the digitalization of medical information and the increased mobility of people for both business and leisure, calls for the integration and sharing of medical information between different healthcare institutions to guarantee prompt and adequate treatment of patients. To address this need, nationwide Electronic Health Record (EHR) IT infrastructures are being developed in several countries. This section presents a scenario based on the Dutch EHR infrastructure [11].

Figure 1: Organizational Structure of Institutions Involved in the EHR Infrastructure

The Dutch EHR infrastructure has been designed by Nictiz, the national IT institute for healthcare, in 
consultation with the Ministry of Health, Welfare and Sport (VWS). It consists of a number of protocols 
and applications that support the provision of care, medical research and care logistics services by allow- 
ing different healthcare providers to share patient medical information. In addition, patients can use EHR 
applications to get assistance with their medication, and to submit the results of self-monitoring activities. 
Currently, the EHR infrastructure connects several GP practices, hospitals, and pharmacies. 

The institutions involved in the EHR infrastructure are organized in a hierarchical structure (Fig. 1). At the top of the hierarchy there is the VWS, which certifies all the healthcare providers in the Netherlands, namely hospitals, GP practices, clinics, and pharmacies. Each of these healthcare institutions employs a number of doctors and specialized auxiliary personnel (e.g., first-aiders, pharmacists). Each institution (or domain authority) in the hierarchy belongs to a certain domain authority class. For instance, domain authorities $h_1, \ldots, h_n$ belong to the hospital class. Similarly, users belong to a domain authority. As a result, the hierarchy in Fig. 1 has two levels: the root authority VWS at level 0, and the domain authorities of different classes and their users at level 1.

The first information accessible nationwide within the EHR infrastructure consists of dispensed medication information and a patient summary for GPs. Patients' information is not stored in a centralized database: healthcare providers need to request relevant information from other healthcare providers. Since medical information is highly sensitive [11], high demands are placed on the secure exchange of information within the EHR infrastructure. Accordingly, health records are protected by access control policies that specify which users may access (what parts of) them. Such policies are typically expressed in terms of attributes (e.g., roles) that a user needs to possess in order to access the requested information [3, 7]. The following is an example of an attribute-based policy protecting John's EHR, based on the organizational structure in Fig. 1:

John's health record may be accessed by: (a) the doctor of GP practice $gp_2$ (John's family doctor); (b) any hospital doctor who has a treatment relationship with John; (c) any clinic doctor who has a treatment relationship with John; and (d) first-aiders of any hospital recognized by VWS.

Here, conditions (a), (b), and (c) are intended to restrict access to doctors treating John, and (d) covers emergency situations in which John may need immediate aid. In a hierarchical organization such as the one presented in this section, attribute-based policies specify which users in the hierarchy are authorized to access certain information. For instance, the circled users at the bottom of Fig. 1 are the users authorized to access John's EHR according to conditions (a) and (d). The users authorized to access John's EHR by conditions (b) and (c) are not shown in Fig. 1, since they may vary with time depending on the doctors' treatment relationship with John.

Figure 2: Access tree for the example access policy in Section 3

In existing ABE schemes (e.g., [2, 9]), each institution in the EHR infrastructure would represent an independent domain authority. Consequently, the information encrypted by an institution could be decrypted only by users having attribute keys issued by that institution. For example, if John's EHR was encrypted by GP practice $gp_2$ according to the policy above, the record would only be accessible by $gp_2$'s doctors. On the contrary, the use of HABE [23, 15] would also allow the encryption of data for other hospitals certified by VWS. However, such hospitals would have to be explicitly defined at encryption time. Therefore, doctors and first-aiders of hospitals which join the EHR infrastructure afterwards cannot access the record, unless it is re-encrypted. In the next sections we present a solution that enables dynamic changes in the structure of virtual organizations, without the need to re-encrypt information. The proposed scheme allows an encryptor to restrict the access to a resource both to the users of specific institutions (e.g., $gp_2$'s doctors) and to the users of a "generic" institution (e.g., any hospital doctor). In addition, it guarantees that domain authorities can only issue keys corresponding to the attributes that they are entitled to certify.

4 Dynamic HABE: Building Blocks 

The dynamic HABE scheme presented in Section 5 is based on pairings over bilinear groups of prime order. In this section we give preliminaries on bilinear groups and introduce the concept of access tree.

4.1 Bilinear Groups 

Let $G_0$ and $G_1$ be two multiplicative cyclic groups of prime order $p$, $g$ be a generator of $G_0$, and $\mathbb{Z}_p$ be the additive group associated with the integers from the set $\{0, \ldots, p-1\}$. A pairing (or bilinear map) $e : G_0 \times G_0 \rightarrow G_1$ satisfies the following properties [5]:

1. Bilinear: for all $u, v \in G_0$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degenerate: $e(g, g) \neq 1$.

The map also satisfies the symmetry property, i.e., $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$. $G_0$ is said to be a bilinear group if the group operation in $G_0$ and the bilinear map $e : G_0 \times G_0 \rightarrow G_1$ can be computed efficiently.

4.2 Access tree 

An access tree is a representation of an access control policy used for the encryption of a data object; it defines the set of attributes that a user must possess to be able to decrypt a ciphertext. Let $\tau$ be an access tree over the attribute set $\omega$ representing an access control policy. A leaf node $K$ in $\tau$ corresponds to an attribute in $\omega$. A non-leaf node $k$ in $\tau$ represents a threshold gate, described by its child nodes and a threshold value. If $num_k$ is the number of children of a node $k$ and $T_k$ is its threshold value, then $0 < T_k \le num_k$. If $T_k = 1$, then $k$ is an OR gate; if $T_k = num_k$, then $k$ is an AND gate. For leaf nodes, $T_K = 1$. Figure 2 illustrates the access tree corresponding to the example access control policy in Section 3.

Function att(K) returns the attribute associated with a leaf node K in r. Moreover, the parent of a node 
z in the access tree is denoted by parent(z). We also define an ordering between the children of a certain 
node in r: the children nodes are numbered from 1 to num; index(z) returns the order value associated with 
a child node z. 

5 Construction of the D-HABE Scheme 

In this section we present our D-HABE scheme. Before providing the formal definition of the scheme, we 
outline its main idea. The root authority is assumed to be a trusted party that runs a setup algorithm in order 
to generate public parameters and a master secret key. Using these parameters and the master key, the root 
authority also generates secret keys for domain authorities. The level of a domain authority determines the 
number of parameters used to create its secret key. The secret key of a domain authority also contains the 
attributes for which the domain authority is entitled to issue secret keys. A domain authority generates secret 
keys for its users. Each user in a hierarchy is associated with an attribute set. Therefore, the secret key of a 
user relates to both the user's attributes and her level in the hierarchy. 

An encryptor encrypts messages for users at a certain level in the hierarchy based on an access tree. 
The access tree is created from the policy by distributing a random secret parameter over the tree nodes that 
represent the attributes, using Shamir secret sharing. A user will only be able to reconstruct this parameter 
and thus satisfy the access control policy if she possesses the required attributes. Thus, a user will only be 
able to decrypt the ciphertext if her secret key corresponds to the correct level in the hierarchy and to the 
right attributes. 

Note that our construction allows new domain authorities and users to join the hierarchy without any need to re-encrypt existing information, since the ciphertext is bound to a level in the hierarchy and a set of attributes, and not to a specific domain authority, user or secret key. This property is referred to as the dynamic property of our HABE scheme. In addition, the proposed scheme can also be used to bind a ciphertext to a specific domain authority if required, as shown in Figure 2 (the $gp_2$ attribute).

We can now formally introduce the D-HABE scheme. Let $e : G_0 \times G_0 \rightarrow G_1$ denote the bilinear map defined in Section 4.1. A security parameter $\lambda$ determines the size of the groups. We define the Lagrange coefficient $\Delta_{v,\Omega}(k) = \prod_{v' \in \Omega,\, v' \neq v} \frac{k - v'}{v - v'}$ for $k, v \in \mathbb{Z}_p$ and $\Omega$ being a set of elements from $\mathbb{Z}_p$. Let $H : \{0,1\}^* \rightarrow G_0$ be a collision resistant hash function, where $\{0,1\}^*$ denotes a binary sequence of arbitrary length. The function $H(\cdot)$ maps an attribute, described as a binary string, to a random group element in $G_0$. In the following we describe the algorithms constituting the D-HABE scheme.

Setup($\lambda$, $L$) This algorithm is run by the root authority to generate the system parameters for a hierarchy of depth $L$. We assume that at the first level of the hierarchy there are $W$ domains¹. The algorithm selects a random generator $g \in G_0$ and $\alpha, \beta \in \mathbb{Z}_p$, and sets $g_1 = g^{\alpha}$, $g_2 = g^{\beta}$, and $A = e(g, g)^{\alpha + \beta}$. In addition, it picks random elements $g_3, h_1, h_2, \ldots, h_L \in G_0$ and $\kappa, y_1, y_2, \ldots, y_W \in \mathbb{Z}_p$. The public and secret parameters are composed of the following components:

$PK = (g, g_3, h_1, h_2, \ldots, h_L, A)$
$MK = (g_1, g_2, \kappa, B = \{y_1, y_2, \ldots, y_W\}).$

Key Generation($MK$, $PK$) This algorithm is run by the root authority to generate a secret key for a domain authority at level $i$ ($1 \le i \le L$) using the master secret key $MK$ and the public parameters $PK$. It picks a random value $r \in \mathbb{Z}_p$, a value $y_\psi \in B$ and a (random) value $y_\phi \in \mathbb{Z}_p$ that are unique for each domain authority, and generates a key for this domain authority at level $i$:

$SK_i = \Big( g^{\alpha} \cdot \big(g_3 \cdot \prod_{l=1}^{i} h_l\big)^{r},\; g^{r},\; h_{i+1}^{r}, \ldots, h_L^{r},\; g^{\beta - \kappa y_\psi - y_\phi},\; g^{y_\psi + y_\phi},\; \forall j \in \Omega_{adm} : g^{\kappa y_\psi + y_\phi} H(j)^{y_\psi + y_\phi} \Big)$

where $\Omega_{adm}$ represents the set of attributes for which the domain authority is eligible to issue secret keys. Here $y_\phi = 0$ if $i = 1$; otherwise it is just a randomly picked number.

¹ Note that $W$ is not fixed during the lifetime of the virtual organization.

A domain authority can use its secret key to generate secret keys for domain authorities beneath its level. In particular, the private key $SK_i$ for a domain authority at level $i$ ($1 < i \le L$) can be generated in an incremental fashion given the private key of its parent node in the hierarchy. Let $SK_{i-1}$ be the secret key of this parent node:

$SK_{i-1} = \Big( a,\; a_1,\; b_i, \ldots, b_L,\; c_0,\; c_1,\; \forall j \in \Omega_{adm} : g^{\kappa y_\psi + y_\phi'} H(j)^{y_\psi + y_\phi'} \Big).$

To generate $SK_i$, the domain authority corresponding to the parent node picks randomly $r'' \in \mathbb{Z}_p$ and $y_\phi'' \in \mathbb{Z}_p$ and outputs

$SK_i = \Big( a \cdot b_i \cdot \big(g_3 \cdot \prod_{l=1}^{i} h_l\big)^{r''},\; a_1 \cdot g^{r''},\; b_{i+1} \cdot h_{i+1}^{r''}, \ldots, b_L \cdot h_L^{r''},\; c_0 \cdot g^{-y_\phi''},\; c_1 \cdot g^{y_\phi''},\; \forall j \in \Omega_{adm} : \big(g^{\kappa y_\psi + y_\phi'} H(j)^{y_\psi + y_\phi'}\big) \cdot \big(g^{y_\phi''} H(j)^{y_\phi''}\big) \Big).$

The resulting private key $SK_i$ is perfectly distributed for $r = r' + r''$ and $y_\phi = y_\phi' + y_\phi''$.

Attribute Key Generation($SK_i$, $PK$, $\omega$) This algorithm is run by a domain authority at level $i$ ($1 \le i \le L$) to generate secret keys for its users with an attribute set $\omega$. First, the algorithm selects a random value $x \in \mathbb{Z}_p$ for each user. The secret key for each user is then formed as

$SK_{i,\omega} = \Big( g^{\alpha} \cdot \big(g_3 \cdot \prod_{l=1}^{i} h_l\big)^{r},\; g^{r},\; g^{\beta - \kappa y_\psi - x - y_\phi},\; \forall j \in \omega \subseteq \Omega_{adm} : D_j = g^{\kappa y_\psi + x + y_\phi} H(j)^{y_\psi + y_\phi},\; D' = g^{y_\psi + y_\phi} \Big).$

Encryption($PK$, $M$, $\tau$, $i$) This algorithm encrypts a message $M \in G_1$ under the access control policy specified by an access tree $\tau$ for users at level $i$. The resulting ciphertext $CT$ can only be decrypted by users at level $i$ whose attribute set $\omega$ satisfies the access tree $\tau$. Conceptually, $CT$ consists of three components: 1) the encrypted message, 2) a level $i$ in the hierarchy, and 3) a set of attributes $\omega$.

In order to encrypt the message according to the access tree $\tau$, the encryption algorithm first selects a random value $s \in \mathbb{Z}_p$ and uses Shamir's secret sharing to share this value among the leaf nodes of $\tau$. To do so, the algorithm chooses a polynomial $q_z(\cdot)$ for each node $z$ in $\tau$ in a top-down manner, starting from the root node $R$. More precisely, first, for each node $z$ in the tree, it sets the degree $d_z$ of the polynomial $q_z(\cdot)$ to be one less than the threshold value $T_z$ of that node, i.e., $d_z = T_z - 1$. Then, starting with the root node $R$, the algorithm sets $q_R(0) = s$ and selects at random $d_R$ other points of the polynomial $q_R(\cdot)$ in order to define the polynomial completely. For any other node $z$, the algorithm sets $q_z(0) = q_{parent(z)}(index(z))$ and selects the remaining $d_z$ points randomly to completely define $q_z(\cdot)$. Then, the ciphertext $CT$ is composed as follows, where $K$ ranges over the leaf nodes of $\tau$:

$CT = \Big( M \cdot A^{s},\; g^{s},\; \big(g_3 \cdot \prod_{l=1}^{i} h_l\big)^{s},\; \forall K \in \tau : C_{att(K)} = g^{q_K(0)},\; C'_{att(K)} = H(att(K))^{q_K(0)} \Big)$
$\phantom{CT} = \Big( C,\; C_0,\; C_1,\; \forall K \in \tau : C_{att(K)},\; C'_{att(K)} \Big).$
Decryption($CT$, $SK_{i,\omega}$) The decryption algorithm consists of two steps: the first step verifies whether a user's attribute set $\omega$ satisfies $\tau$, and the second step corresponds to the message recovery. The decryption algorithm uses the recursive algorithm DecryptNode($CT$, $SK_{i,\omega}$, $z$) to perform the first step. We define this algorithm first for (a) leaf nodes $K$ and then for (b) internal nodes $k$ of $\tau$.

(a) DecryptNode($CT$, $SK_{i,\omega}$, $K$): Note that each leaf node is associated with an attribute. Let $j = att(K)$. Now, if $j \in \omega$ then

$\mathrm{DecryptNode}(CT, SK_{i,\omega}, K) = \frac{e(D_j, C_j)}{e(D', C'_j)} = \frac{e\big(g^{\kappa y_\psi + x + y_\phi} H(j)^{y_\psi + y_\phi},\; g^{q_K(0)}\big)}{e\big(g^{y_\psi + y_\phi},\; H(j)^{q_K(0)}\big)} = e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_K(0)}.$

If $j \notin \omega$, then DecryptNode($CT$, $SK_{i,\omega}$, $K$) $= \bot$, where $\bot$ denotes failure.

(b) DecryptNode($CT$, $SK_{i,\omega}$, $k$): For all nodes $z$ that are children of $k$, the algorithm calls DecryptNode($CT$, $SK_{i,\omega}$, $z$). Its output, stored as $F_z$, is used to determine whether the user has enough attributes to satisfy the policy. Note that to satisfy the policy, there should be enough points (i.e., satisfied child nodes) to reconstruct the polynomial in node $k$ and thus $q_k(0)$. Let $\Omega_k$ be an arbitrary $T_k$-sized set of child nodes $z$ such that $F_z \neq \bot$, $\forall z \in \Omega_k$. If no such set exists, then node $k$ is not satisfied and the function returns $\bot$. Otherwise, using polynomial interpolation, the algorithm evaluates the following function, where $v = index(z)$ and $\Omega_k$ is identified with the set of indices of its nodes in the Lagrange coefficients:

$F_k = \prod_{z \in \Omega_k} F_z^{\Delta_{v,\Omega_k}(0)}$
$\phantom{F_k} = \prod_{z \in \Omega_k} \Big( e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_z(0)} \Big)^{\Delta_{v,\Omega_k}(0)}$
$\phantom{F_k} = \prod_{z \in \Omega_k} \Big( e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_{parent(z)}(index(z))} \Big)^{\Delta_{v,\Omega_k}(0)}$
$\phantom{F_k} = \prod_{z \in \Omega_k} \Big( e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_k(v)} \Big)^{\Delta_{v,\Omega_k}(0)}$
$\phantom{F_k} = e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_k(0)}.$
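As an added example (not code from the paper), the following Python carries the top-down sharing of $s$ from the Encryption algorithm and the bottom-up DecryptNode interpolation above through on the exponents in $\mathbb{Z}_p$, for the access tree of Figure 2. The pairing layer is left out so the tree arithmetic runs stand-alone; the prime P, the attribute names and the helper functions are our own constructions, and the code handles general $T_k$-of-$num_k$ gates, not only the OR/AND gates of the example.

```python
"""Access-tree secret sharing and DecryptNode-style recovery over Z_p.

Added example, not the paper's code: it operates on the exponents q_z(0)
that D-HABE hides inside e(g,g)^{(kappa*y_psi + x + y_phi) q_z(0)}.
"""
import random

P = 2**61 - 1  # constructed prime standing in for the group order p


class Node:
    """Threshold gate (T_k of num_k children) or a leaf carrying one attribute."""

    def __init__(self, threshold=1, children=None, attr=None):
        self.attr = attr
        self.children = children or []
        self.T = 1 if attr is not None else threshold  # leaves have T_K = 1
        self.q = None  # coefficients of q_z: q[0] = q_z(0), degree d_z = T_z - 1


def eval_poly(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def share(node, secret, rng):
    """Top-down sharing: q_R(0) = s and q_z(0) = q_parent(z)(index(z))."""
    node.q = [secret % P] + [rng.randrange(P) for _ in range(node.T - 1)]
    for index, child in enumerate(node.children, start=1):  # index(z) = 1..num_k
        share(child, eval_poly(node.q, index), rng)


def lagrange_at_zero(v, omega):
    """Delta_{v,Omega}(0) = prod_{v' in Omega, v' != v} (0 - v') / (v - v') mod P."""
    num = den = 1
    for vp in omega:
        if vp != v:
            num = num * (-vp) % P
            den = den * (v - vp) % P
    return num * pow(den, P - 2, P) % P


def decrypt_node(node, attrs):
    """Mirror of DecryptNode on exponents: q_z(0) if attrs satisfy the subtree, else None."""
    if node.attr is not None:
        return node.q[0] if node.attr in attrs else None
    # collect F_z for every satisfied child, keyed by index(z)
    satisfied = []
    for index, child in enumerate(node.children, start=1):
        f = decrypt_node(child, attrs)
        if f is not None:
            satisfied.append((index, f))
    if len(satisfied) < node.T:
        return None  # too few points to interpolate q_k: node k is not satisfied
    omega = satisfied[: node.T]  # any T_k-sized subset Omega_k works
    idx = [i for i, _ in omega]
    return sum(f * lagrange_at_zero(i, idx) for i, f in omega) % P


def example_policy():
    """Access tree of Figure 2: (a) OR (b) OR (c) OR (d), with (b) and (c) AND gates."""
    leaf = lambda a: Node(attr=a)
    return Node(threshold=1, children=[
        leaf("doctor@gp2"),
        Node(threshold=2, children=[leaf("doctor@hospital"), leaf("treating-doctor@hospital")]),
        Node(threshold=2, children=[leaf("doctor@clinic"), leaf("treating-doctor@clinic")]),
        leaf("first-aider@hospital"),
    ])


def recover(attrs, secret=123456789, seed=7):
    """Share `secret` over the example tree, then try to rebuild it from `attrs`."""
    tree = example_policy()
    share(tree, secret, random.Random(seed))
    return decrypt_node(tree, set(attrs))


if __name__ == "__main__":
    print(recover({"doctor@hospital", "treating-doctor@hospital"}))  # secret recovered
    print(recover({"doctor@hospital"}))  # None: AND gate (b) needs both attributes
```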

To decrypt the ciphertext $CT$, the decryption algorithm first checks whether the user satisfies the access control policy. This is done by evaluating the DecryptNode($\cdot$) function on the root node $R$ of the access tree $\tau$. If DecryptNode($CT$, $SK_{i,\omega}$, $R$) returns $\bot$, then $\tau$ is not satisfied by the attribute set $\omega$ of the key $SK_{i,\omega}$. In this case, decryption is impossible and the function returns $\bot$. Otherwise $\tau$ is satisfied, and the decryption algorithm performs the following steps. First, it computes

$Z^{(1)} = \mathrm{DecryptNode}(CT, SK_{i,\omega}, R) = e(g,g)^{(\kappa y_\psi + x + y_\phi)\, q_R(0)} = e(g,g)^{(\kappa y_\psi + x + y_\phi)\, s}$

and

$Z^{(2)} = Z^{(1)} \cdot e\big(C_0,\; g^{\beta - \kappa y_\psi - x - y_\phi}\big) = e(g,g)^{(\kappa y_\psi + x + y_\phi)\, s} \cdot e(g,g)^{(\beta - \kappa y_\psi - x - y_\phi)\, s} = e(g,g)^{\beta s}.$

The following intermediate step is then used to compute $Z^{(3)}$. Note that the correct value of $Z^{(3)}$ can only be recovered by users at the right level in the hierarchy:

$Z^{(3)} = \frac{e\big(C_0,\; g^{\alpha} \cdot (g_3 \cdot \prod_{l=1}^{i} h_l)^{r}\big)}{e\big(g^{r},\; C_1\big)} = \frac{e\big(g^{s},\; g^{\alpha} \cdot (g_3 \cdot \prod_{l=1}^{i} h_l)^{r}\big)}{e\big(g^{r},\; (g_3 \cdot \prod_{l=1}^{i} h_l)^{s}\big)} = e(g,g)^{\alpha s}.$

In the final step, we use $Z^{(2)}$ and $Z^{(3)}$ to recover the message $M$ (assuming the user's key satisfies $\tau$ and corresponds to the right level of the hierarchy; otherwise the decryption algorithm returns $\bot$):

$\frac{C}{Z^{(3)} \cdot Z^{(2)}} = \frac{M \cdot A^{s}}{e(g,g)^{\alpha s} \cdot e(g,g)^{\beta s}} = M \cdot e(g,g)^{(\alpha + \beta) s} \cdot e(g,g)^{-(\alpha + \beta) s} = M.$



6 Security Proof 

6.1 Security Model for D-HABE 

In this section we define the security game for D-HABE between an adversary A and a challenger C. Later 
in the text we refer to this game as the D-HABE security game. 

Setup: The challenger C runs the Setup algorithm and gives adversary A the public parameters, while keep- 
ing the master secret key to itself. 

Phase 1: A performs a polynomially bounded number of queries of the following types: 

• Type 1: $\mathcal{A}$ asks for a user secret key from a domain authority at level $i$ for attribute sets $\omega_1, \omega_2, \ldots, \omega_Q$. The challenger returns secret keys $SK_{i,\omega_j}$, $\forall j \in \{1, 2, \ldots, Q\}$, to $\mathcal{A}$.

• Type 2: $\mathcal{A}$ asks for a user secret key from a domain authority at level $i'$, $i' \neq i$, for attribute sets $\omega_1, \omega_2, \ldots, \omega_Q$. The challenger returns $SK_{i',\omega_j}$, $\forall j \in \{1, 2, \ldots, Q\}$, to $\mathcal{A}$.

Challenge: In this phase the adversary $\mathcal{A}$ submits two equal-length plaintexts $M_0$ and $M_1$ from a message space, on which $\mathcal{A}$ wants to be challenged. Moreover, $\mathcal{A}$ also gives the challenger an access structure $\mathbb{A}^*$ such that the secret keys queried in Phase 1 do not satisfy $\mathbb{A}^*$. The access structure encompasses both part of the hierarchy up to a certain level and the access tree $\tau$ over $\omega$. The challenger flips a random coin $b \in \{0, 1\}$ and returns the encryption of $M_b$ under $\mathbb{A}^*$ to the adversary $\mathcal{A}$.

Phase 2: Repeat Phase 1, querying for secret keys that do not satisfy $\mathbb{A}^*$ and that have not already been queried for in Phase 1.

Guess: In this phase, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins if $b' = b$. The advantage of the adversary in attacking the scheme is $\left| \Pr[b' = b] - \frac{1}{2} \right|$.

Definition 1 A D-HABE scheme is secure if all polynomial time adversaries have at most negligible advan- 
tage in the D-HABE security game. 

6.2 Security Proof for D-HABE in Generic Group Model 

The security of the D-HABE scheme can be proved using arguments similar to those in [22, 4, 2]. We use the generic group model and the random oracle model to argue that there is no efficient adversary who can break the security of our scheme with non-negligible probability if the adversary acts generically on the groups used in our scheme. This means that, if there are any vulnerabilities in the scheme, then they are due to specific mathematical properties of the elliptic curve groups or cryptographic hash functions used in our constructions. In the generic group model, group elements are encoded into unique random strings, in such a way that the adversary $\mathcal{A}$ can manipulate group elements using canonical group operations in $G_0$ and $G_1$ and cannot test any property other than equality. The following theorem gives a lower bound on the advantage of a generic adversary $\mathcal{A}$ in breaking our scheme.

Figure 3: Attribute Certification Chains Derived from the Example Policy: (a) doctor @ VWS → GP practice = gp2; (b) doctor @ VWS → hospital = * ∧ treating-doctor @ VWS → hospital = *; (c) doctor @ VWS → clinic = * ∧ treating-doctor @ VWS → clinic = *; (d) first-aider @ VWS → hospital = *.

Theorem 1 Let q be an upper bound on the total number of group elements that an adversary A can receive 
from queries she makes to the challenger C for elements from the hash function $H(\cdot)$, groups $G_0$, $G_1$, bilinear 
map $e(\cdot, \cdot)$, and from her interaction in the D-HABE security game. The advantage of the adversary in the 
security game is $O(q^2/p)$. 

The proof of Theorem 1 is presented in Appendix A. 

7 Augmenting D-HABE with Attribute Key Management 

The access trees used by the proposed D-HABE scheme to protect the resources exchanged in a virtual 
organization are determined by the resources' access control policies. In the next two subsections we address 
the issues of (a) how to derive the access tree corresponding to an access control policy (Section 7.1), and (b) 
how to determine which user is entitled to receive which attribute key (Section 7.2). Then, we discuss how 
to integrate these solutions with the proposed D-HABE scheme (Section 7.3). 



7.1 From Access Control Policies to Access Trees 

Existing (H)ABE schemes implicitly assume access control policies to be specified in the format required 
to encrypt information (e.g., access trees). The access control frameworks for distributed systems proposed 
in the literature (e.g., [16, 1]), however, employ policies specified in logic programming-based languages. 
Here, we show how to translate such access control policies into the corresponding access trees. 

Conceptually, the translation of the access control policy protecting a data object o into the access tree of 
o is performed in two steps: 

1. The rules in the access control policy are transformed into (conjunctions of) attribute certification 
chains. An attribute certification chain consists of an attribute that the user needs to possess to access 
o, followed by a sequence of domain authorities (and domain authority classes) that denotes a path in 
the hierarchy of a virtual organization. 

2. The attributes identified in step 1 are combined into a logical formula reflecting the original access 
control policy. The formula represents the access tree of o. 

Next, we first explain these two steps using the example policy from Section 3 and then we provide a formal 
definition of the translation process. 

The example policy in Section 3 can be seen as the disjunction of four rules, denoted by (a), (b), (c), and 
(d). The first step of the translation process requires transforming each rule into a (conjunction of) attribute 
certification chains. The (conjunctions of) attribute certification chains of rules (a), (b), (c), and (d) are shown 
in Fig. 3, where hospital = * and clinic = * denote respectively any hospital and any clinic in the EHR 
infrastructure. Then, step 2 transforms the attribute certification chains into the formula "(gp2 ∧ doctor) ∨ 
(hospital ∧ doctor ∧ treating-doctor) ∨ (clinic ∧ doctor ∧ treating-doctor) ∨ (hospital ∧ first-aider)", which 
corresponds to the access tree presented in Fig. 2. 

Before formalizing the translation process, we present a formalization of access control policies. An 
access control policy is a set of rules of the form 

$$\mathrm{canRead}(U, O) \leftarrow \mathrm{certifies}(RA, C_{11}, DA_{11}), \ldots, \mathrm{certifies}(DA_{1n_1}, A_1, U), \ldots, \mathrm{certifies}(RA, C_{m1}, DA_{m1}), \ldots, \mathrm{certifies}(DA_{mn_m}, A_m, U)$$ 

where U can be a specific user or a variable representing any user satisfying the policy conditions, O is the 
data object that the access control policy protects, $A_1, \ldots, A_m$ are attributes, each $C_{\ell p}$ (with $1 \le \ell \le m$ 
and $1 \le p \le n_\ell$) is a domain authority class (e.g., hospital, clinic), RA is the root authority and $DA_{\ell p}$ is a 
domain authority or a variable representing any domain authority of class $C_{\ell p}$. Intuitively, a rule states that 
a user U can read object O if he has attributes $A_1, \ldots, A_m$; each attribute $A_\ell$ is derived from a certification 
chain involving domain authorities $RA, DA_{\ell 1}, \ldots, DA_{\ell n_\ell}$ of class $C_{\ell 1}, \ldots, C_{\ell n_\ell}$. Since we are dealing with 
hierarchical domains, the first domain authority RA is always the root authority (e.g., VWS in our scenario). 

According to the formalization above, rule (a) in the example access control policy in Section 3 is repre- 
sented as 

canRead(X, JohnsEHR) ← certifies(VWS, GP-practice, gp2), certifies(gp2, doctor, X) 

rule (b) as 

canRead(X, JohnsEHR) ← 
    certifies(VWS, hospital, Y), certifies(Y, doctor, X), 
    certifies(VWS, hospital, Y), certifies(Y, treating-doctor, X) 

etc., where X and Y are variables. Within a rule, the use of the same variable denotes values that have to 
match. 

We are now ready to formalize the translation from access control policies to access trees. The two steps 
of the translation process are defined as follows: 

1. Let $AR = \{AR_1, \ldots, AR_n\}$ be the set of rules protecting a data object O. From AR we derive the 
corresponding set of (conjunctions of) attribute certification chains $ACC = \{ACC_1, \ldots, ACC_n\}$ as 
follows. Let $AR_\ell$ ($1 \le \ell \le n$) be 

$$\mathrm{canRead}(U, O) \leftarrow \bigwedge_{1 \le p \le m} \big( \mathrm{certifies}(RA, C_{p1}, DA_{p1}), \ldots, \mathrm{certifies}(DA_{pn_p}, A_p, U) \big)$$ 

Then, $ACC_\ell$ is 

$$\bigwedge_{1 \le p \le m} \big( A_p \,@\, RA \rightarrow C_{p1} = DA_{p1} \rightarrow \cdots \rightarrow C_{pn_p} = DA_{pn_p} \big)$$ 

2. Given the set of attribute certification chains $\{ACC_1, \ldots, ACC_n\}$, the D-HABE access tree $HAT_O$ of 
O is constructed as follows: 

$$\bigvee_{1 \le \ell \le n} \big( T_{1n_1} \wedge A_1 \wedge \ldots \wedge T_{mn_m} \wedge A_m \big)$$ 

where $T_{pn_p}$ (with $1 \le p \le m$) is $C_{pn_p}$ if $DA_{pn_p}$ is *, and $T_{pn_p}$ is $DA_{pn_p}$ if $DA_{pn_p}$ is a domain 
authority. 

Notice that the attributes appearing in an access control policy and in the corresponding access tree must 
be elements of the set of attributes included in the public parameter PK of the D-HABE scheme. 
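As an added example (not code from the paper), the two translation steps above applied to the four rules protecting JohnsEHR, followed by the PK membership check just mentioned; the tuple encoding of certifies atoms, the convention that single upper-case letters are variables, and the PK attribute set are assumptions of this example:

```python
# Added example, not from the paper: Section 7.1's two-step translation of
# canRead rules into a D-HABE access tree. Assumed conventions: a rule body is a
# list of certifies(issuer, class-or-attribute, subject) triples, single
# upper-case letters (X, Y) are variables, and the root authority is given.
from typing import List, Sequence, Set, Tuple

Certifies = Tuple[str, str, str]
Chain = Tuple[str, List[Tuple[str, str]]]   # (attribute, [(class, authority), ...])

def is_variable(term: str) -> bool:
    return len(term) == 1 and term.isupper()

def split_chains(body: Sequence[Certifies], root: str) -> List[List[Certifies]]:
    """Cut a rule body into certification chains; every chain starts at the root authority."""
    chains: List[List[Certifies]] = []
    for atom in body:
        if atom[0] == root or not chains:
            chains.append([])
        chains[-1].append(atom)
    return chains

def chain_to_acc(chain: Sequence[Certifies]) -> Chain:
    """Step 1: certifies(RA, C_p1, DA_p1), ..., certifies(DA_pn, A_p, U) becomes
    A_p @ RA -> C_p1 = DA_p1 -> ...; a variable authority is rendered as *."""
    attribute = chain[-1][1]
    path = [(cls, "*" if is_variable(da) else da) for (_, cls, da) in chain[:-1]]
    return attribute, path

def render_acc(acc: Chain, root: str) -> str:
    attribute, path = acc
    return f"{attribute} @ {root}" + "".join(f" -> {cls} = {da}" for cls, da in path)

def rule_leaves(body: Sequence[Certifies], root: str) -> List[str]:
    """Step 2 for one rule: leaf T_pn_p is the class if DA_pn_p is *, else the
    authority itself, conjoined with the attribute A_p (each leaf listed once)."""
    leaves: List[str] = []
    for attribute, path in (chain_to_acc(c) for c in split_chains(body, root)):
        cls, da = path[-1]
        for leaf in (cls if da == "*" else da, attribute):
            if leaf not in leaves:
                leaves.append(leaf)
    return leaves

def policy_to_access_tree(rules: Sequence[Sequence[Certifies]], root: str) -> str:
    """HAT_O: disjunction over rules of the conjunction of each rule's leaves."""
    return " ∨ ".join("(" + " ∧ ".join(rule_leaves(r, root)) + ")" for r in rules)

def missing_attributes(rules: Sequence[Sequence[Certifies]], root: str,
                       pk_attributes: Set[str]) -> List[str]:
    """Attributes used by the policy that are not in the D-HABE public parameter PK."""
    needed = {chain_to_acc(c)[0] for r in rules for c in split_chains(r, root)}
    return sorted(needed - pk_attributes)

# Constructed input: rules (a)-(d) protecting JohnsEHR in the paper's example.
JOHNS_EHR_RULES: List[List[Certifies]] = [
    [("VWS", "GP-practice", "gp2"), ("gp2", "doctor", "X")],
    [("VWS", "hospital", "Y"), ("Y", "doctor", "X"),
     ("VWS", "hospital", "Y"), ("Y", "treating-doctor", "X")],
    [("VWS", "clinic", "Y"), ("Y", "doctor", "X"),
     ("VWS", "clinic", "Y"), ("Y", "treating-doctor", "X")],
    [("VWS", "hospital", "Y"), ("Y", "first-aider", "X")],
]

if __name__ == "__main__":
    for body in JOHNS_EHR_RULES:
        chains = split_chains(body, "VWS")
        print(" ∧ ".join(render_acc(chain_to_acc(c), "VWS") for c in chains))
    print(policy_to_access_tree(JOHNS_EHR_RULES, "VWS"))
    print("not in PK:", missing_attributes(JOHNS_EHR_RULES, "VWS", {"doctor"}))
```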

7.2 Issuing Attribute Keys 

This section presents an attribute key management scheme that relies on trust management techniques [3, 7] 
for determining the attribute decryption keys that a user is entitled to receive. Trust management is an ap- 
proach to attribute-based access control in distributed systems. A trust management policy specifies under which 
conditions a domain authority certifies that a given user or domain authority has a certain attribute, where 
policy conditions are in turn represented in terms of attributes certified by (possibly different) domain au- 
thorities. Notice that in trust management the distinction between users and domain authorities is partially 
blurred, as both are characterized in terms of attributes, even though only domain authorities certify those at- 
tributes. Formally, the trust management policy of a domain authority DA consists of a set of rules of the form 

certifies(DA, A, E) ← certifies($DA_1$, $A_1$, $E_1$), …, certifies($DA_n$, $A_n$, $E_n$) 

where DA, $DA_\ell$ (with $1 \le \ell \le n$) are domain authorities, E, $E_\ell$ are users or domain authorities, and each 
$A_\ell$ is an attribute. Policy rules may also have an empty set of conditions (i.e., n = 0, in which case the 
implication symbol ←, read as "if", is omitted); we refer to these rules as credentials. The following are examples of policy rules and creden- 
tials defined by hospital h1 and the hospital's cardiology department (for the sake of simplicity, the hospital 
departments are omitted in the hierarchy in Fig. 1): 

certifies(h1, doctor, X) ← certifies(h1, department, Y), certifies(Y, doctor, X) 
certifies(h1, department, cardiology) 
certifies(cardiology, doctor, Alice) 

Intuitively, the first rule states that h1 certifies as doctor any doctor working in one of its departments. Rules 2 and 3 
state respectively that cardiology is a department of hospital h1, and that Alice is a doctor working in that 
department. 

The problem of determining which user is entitled to which attribute keys can thus be reduced to the 
problem of determining which credentials can be derived from the trust management policies of the domain 
authorities in a virtual organization. Credential chain discovery algorithms [16, 1] provide a solution to 
this problem. Given a query q of the form certifies(DA, A, E)? and a set of trust management policy rules 
TMR, credential chain discovery algorithms compute the answers to q that satisfy TMR. For instance, 
given the policy rules above, the answer returned by a credential chain discovery algorithm to the query 
certifies(h1, doctor, X)? would be certifies(h1, doctor, Alice). Domain authorities can therefore rely on cre- 
dential chain discovery algorithms to derive the set of attributes that the users within their institution possess, 
and release the corresponding attribute keys. 
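As an added example (not the paper's code, nor an implementation of the cited algorithms), a small bottom-up credential chain discovery over the h1 policy above, extended with a constructed oncology department, and the per-authority attribute list a domain authority would use to issue keys; the tuple encoding of rules and the convention that single upper-case letters are variables are assumptions of this example:

```python
# Added example, not from the paper: bottom-up credential chain discovery over
# trust management rules certifies(DA, A, E) <- certifies(DA_1, A_1, E_1), ...
# (Section 7.2), used to decide which attribute keys a domain authority issues.
# Assumed convention: single upper-case letters (X, Y) are variables.
from typing import Dict, List, Optional, Set, Tuple

Atom = Tuple[str, str, str]        # certifies(issuer, attribute, subject)
Rule = Tuple[Atom, List[Atom]]     # (head, body); a credential has an empty body
Binding = Dict[str, str]

def is_variable(term: str) -> bool:
    return len(term) == 1 and term.isupper()

def unify(pattern: Atom, fact: Atom, binding: Binding) -> Optional[Binding]:
    """Match an atom with variables against a ground fact, extending the binding."""
    new = dict(binding)
    for p, f in zip(pattern, fact):
        if is_variable(p):
            if new.setdefault(p, f) != f:   # one variable, one value within a rule
                return None
        elif p != f:
            return None
    return new

def substitute(atom: Atom, binding: Binding) -> Atom:
    issuer, attribute, subject = (binding.get(t, t) for t in atom)
    return (issuer, attribute, subject)

def discover(rules: List[Rule]) -> Set[Atom]:
    """All ground certifies facts derivable from the policy (least fixpoint)."""
    facts: Set[Atom] = {head for head, body in rules if not body}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if not body:
                continue
            bindings: List[Binding] = [{}]
            for atom in body:                # join each body atom with known facts
                bindings = [b2 for b in bindings for f in facts
                            if (b2 := unify(atom, f, b)) is not None]
            for b in bindings:
                derived = substitute(head, b)
                if derived not in facts and not any(map(is_variable, derived)):
                    facts.add(derived)
                    changed = True
    return facts

def answer(query: Atom, rules: List[Rule]) -> Set[Atom]:
    """Answers to a query such as certifies(h1, doctor, X)?"""
    return {f for f in discover(rules) if unify(query, f, {}) is not None}

def attributes_to_issue(domain_authority: str, rules: List[Rule]) -> Dict[str, Set[str]]:
    """Subject -> attributes certified by this authority, i.e. the attribute keys to release."""
    issued: Dict[str, Set[str]] = {}
    for issuer, attribute, subject in discover(rules):
        if issuer == domain_authority:
            issued.setdefault(subject, set()).add(attribute)
    return issued

# Constructed policy: the h1 / cardiology rules from Section 7.2 plus an oncology
# department and a nurse, to show that only chains the h1 rule covers are derived.
H1_POLICY: List[Rule] = [
    (("h1", "doctor", "X"), [("h1", "department", "Y"), ("Y", "doctor", "X")]),
    (("h1", "department", "cardiology"), []),
    (("cardiology", "doctor", "Alice"), []),
    (("h1", "department", "oncology"), []),
    (("oncology", "doctor", "Bob"), []),
    (("oncology", "nurse", "Carol"), []),
]

if __name__ == "__main__":
    print(sorted(answer(("h1", "doctor", "X"), H1_POLICY)))
    print(attributes_to_issue("h1", H1_POLICY))
```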

7.3 Unified Scheme 

The proposed key management scheme can be easily integrated with the D-HABE scheme introduced in Sec- 
tion 5 to form a complete framework for the enforcement of access control policies in virtual organizations. 
The integration of the two schemes can be done in the following three steps: 

1. Setup of the D-HABE infrastructure: the root authority of the virtual organization initiates the D- 
HABE scheme by running the setup algorithm and releasing the secret keys to the domain authorities 
at level 1 of the hierarchy. Then, in turn, each domain authority releases a secret key to the domain 
authorities beneath its level. In the example virtual organization introduced in Section 3 the hierarchy 
has only two levels; thus, the domain authorities at level 1 (i.e., hospitals, GP practices, clinics, and 
pharmacies) do not release any further secret key. 

2. Translating access control policies into attribute trees: the access control policies protecting the data 
objects that need to be exchanged in the virtual organization are translated into the corresponding 
attribute trees. Each user or institution can perform this process independently on the access control 
policies of the local objects. As mentioned in Section 7.1, the attributes appearing in access trees must 
be a subset of the attributes included in the public parameter PK of the D-HABE scheme. 

3. Issuing the attribute keys: each domain authority runs the credential chain discovery algorithm to 
determine the attributes of its users. The domain authority then issues the attribute keys of its users 
accordingly, using the attribute key generation algorithm of the D-HABE scheme. 

Note that step 2 is independent of steps 1 and 3, and can thus be executed in parallel or even after the 
other steps. Conversely, step 3 must be executed after step 1, since the attribute key generation algorithm 
depends on the setup and key generation algorithms of the D-HABE scheme. Once these three steps are 
executed, the users and institutions in the virtual organization can start sharing and exchanging information 
(encrypted with the corresponding access control tree) with the guarantee that only authorized users can 
access it. 

8 Conclusions and Future Work 

This paper presents a solution to the problem of distributed policy enforcement in virtual organizations. 
In particular, it presents a new dynamic HABE (D-HABE) scheme that addresses the dynamics of these 
collaborations. Furthermore, the paper makes an important link between attribute-based encryption schemes 
and trust management, which is proposed as a means of determining the attribute keys to be issued in a virtual 
organization. 

The work presented in this paper suggests some interesting directions for future research. First of all, 
the proposed scheme does not address the problem of accountability for key disclosure. More precisely, 
a domain authority may create another domain authority at the same level in the hierarchy through the re- 
randomization of its secret key. In addition, a user may disclose her keys (e.g., by publishing them on the 
Internet) without fear of being caught as there is no linkability established between the key and the user. We 
are working on improving the scheme to address this problem. In addition, we plan to provide the security 
proof of the proposed scheme in the standard model where the problem of breaking the scheme is reduced to 
a well-studied complexity-theoretic problem. 
A Proof of Theorem 1 

Before presenting the actual proof, we introduce some functions and notations used in the simulation of 
the security game defined in Section 6.1. We define two random encodings $\xi_0, \xi_1$ on the additive group $\mathbb{Z}_p$, 
such that $\xi_0, \xi_1 : \mathbb{Z}_p \rightarrow \{0, 1\}^m$ are injective maps, where $m > 3 \cdot \log(p)$. For $\nu = 0, 1$, we write 
$G_\nu = \{\xi_\nu(x) : x \in \mathbb{Z}_p\}$. We use $\xi_0(x)$ to represent $g^x \in G_0$ and $\xi_1(x)$ to represent $e(g, g)^x \in G_1$. The chal- 
lenger C is given two oracles to compute group operations on $G_0$, $G_1$, an oracle to compute a non-degenerate 
bilinear map $e : G_0 \times G_0 \rightarrow G_1$, and a random oracle that represents the hash function $H : \{0, 1\}^* \rightarrow G_0$. 

Table 1: (Useful) Feasible queries of the adversary 

Proof. Similar to the generic group proofs cited in Section 6.2, we bound the advantage of A in a modified security game. In the D-HABE security 
game, the ciphertext given by the challenger C contains a message-related component, which is either $C = 
M_0 \cdot e(g, g)^{(\alpha - \beta)s}$ or $C = M_1 \cdot e(g, g)^{(\alpha - \beta)s}$, where the choice is made uniformly at random. In the modified 
security game, C will return either $C = e(g, g)^{(\alpha - \beta)s}$ or $C = e(g, g)^{\theta}$, where $\theta$ is selected uniformly at 
random from $\mathbb{Z}_p$, and A has to determine which is the case. Note that these two games are equivalent. Below 
we show that there is no adversary A that has a non-negligible advantage in the modified security game and 
therefore in the original security game defined in Section 6.1. 

Simulation of the D-HABE security game First we define all the feasible queries and corresponding out- 
puts that A may perform in the simulation of the D-HABE security game. A receives the following 
encodings from his interactions with C in the D-HABE security game. 

1. Components generated by algorithm Setup in the Setup phase of the security game include: 
$\xi_0(1) \rightarrow g$, $\xi_0(\alpha) \rightarrow g_1 = g^{\alpha}$, $g_2$, $\xi_0(\eta_i) \rightarrow h_i = g^{\eta_i}$, $\xi_0(x) \rightarrow g_3 = g^{x}$, 
$\xi_0(t_j) \rightarrow H(j) = g^{t_j}$, $\xi_1(\alpha - \beta) \rightarrow A = e(g, g)^{\alpha - \beta}$. 

Note that only public parameters are sent to A. 

2. Components generated by Attribute Key Generation for an attribute set $\omega'$ associated with level i in the 
hierarchy in Phase 1 and Phase 2 of the security game include: 

' £o(rt) • UrEUiVi) ~+ a Q = ^+^+£^0 , ?o(r) ^ ai = g r ; ^ _ Uy9 _ x _ 

3. Components generated by algorithm Encryption in the Challenge phase of the security game include: 
$\xi_1(\theta) \rightarrow C = e(g, g)^{\theta}$ or $\xi_1((\alpha - \beta)s) \rightarrow C = e(g, g)^{(\alpha - \beta)s}$, $\xi_0(s) \rightarrow C_0 = g^{s}$, 
$\xi_0(s(t + \sum_i \eta_i)) \rightarrow C_1 = g^{s(t + \sum_i \eta_i)}$, $\xi_0(s_j) \rightarrow C_j = g^{s_j}$, $\forall j \in \tau^*$, 
$\xi_0(s_j t_j) \rightarrow C'_j = H(j)^{s_j}$, $\forall j \in \tau^*$. 

Here $s_j$ represents the shares of $s \in \mathbb{Z}_p$ corresponding to all relevant attributes $j \in \tau^*$, and $\tau^*$ is 
the access tree that is part of A*. The shares $s_j$ are selected from $\mathbb{Z}_p$ uniformly at random and 
independently of each other, subject to the conditions imposed by the Shamir secret sharing scheme. 

It should be noted that if A queries for a secret key that satisfies the challenge access structure A* then C 
will not issue the key. Moreover, if A wants to be challenged on an access structure for which A already has 
a key that satisfies the access structure A*, C will abort the simulation and provide a random guess on behalf 
of A. The adversary can use the group elements received from the interaction with the challenger to perform 
generic group operations and equality tests on $\{\alpha, \beta, t, r, x, \mathcal{R}, y_j^*, y_j, s_j, t_j, \eta_i\}$, where each variable is an 
element of $\mathbb{Z}_p$ picked at random in our scheme. Queries that A can perform include: 

• Queries to the oracles for group operations in $G_0$ and $G_1$. When A asks for multiplication or division 
of group elements represented by their random encodings, the oracles return the summation or sub- 
traction respectively in the additive or multiplicative cyclic groups depending on the encoding of the 
group element. 

• Queries to the oracle for computing the pairing operation $e(\cdot, \cdot)$. When A asks for the pairing of group el- 
ements represented with their random encoding, the oracle returns the multiplication of the group 
elements in the multiplicative cyclic groups. This is equivalent to the pairing of the group elements. 

Next we will show that, using the results of the above simulation, A cannot distinguish with non- 
negligible advantage whether the challenge ciphertext C is $e(g, g)^{\theta}$ or $e(g, g)^{(\alpha - \beta)s}$. 

Adversary's advantage First we show the adversary's view when the challenge ciphertext is $\xi_1(\theta)$. Fol- 
lowing the standard approach to security in the generic group model, the view of A can change when 
an unexpected collision happens due to the random choice of the variables $\{\alpha, \beta, t, r, x, \mathcal{R}, y_j^*, y_j, s_j, t_j, \eta_i\}$. A 
collision happens when two queries evaluate to the same value. However, for any two distinct queries the 
probability of such a collision is at most $O(q^2/p)$. For p sufficiently large, this probability is negli- 
gible; therefore, we may ignore this case. 

Now, consider the situation in which the challenge ciphertext is $\xi_1((\alpha - \beta)s)$. The adversary's view can 
change if she can construct a polynomial of the form $(\alpha - \beta)s$. Next, we show that the adversary A cannot 
make polynomial queries such that their linear combination results in a polynomial of the form $(\alpha - \beta)s$, 
and therefore the collision cannot happen. In Table 1 we summarize the feasible queries in $G_1$ that can be 
constructed using the group elements received from the simulation of the security game. Note that we focus 
on the queries that could help A to construct the query of the form $(\alpha - \beta)s$. The adversary A can create a 
polynomial containing the term $(\alpha - \beta)s$ by using the results in cells (3, 6) and (2, 3) from Table 1: 

$$\underbrace{s\alpha}_{A} + \underbrace{rst}_{B} + \underbrace{sr\sum_i \eta_i}_{C} - \underbrace{\beta s}_{D} - \underbrace{s(\mathcal{R}y_j + x + y_j)}_{E} \qquad (1)$$ 

Observe that the polynomial in (1) also contains terms B, C and E, hence these terms need to be canceled 
to construct the polynomial of the form $(\alpha - \beta)s$. In the following we perform a case-based analysis of the 
strategies that A could deploy in order to cancel terms B, C and E. In the analysis we exploit the fact that 
A can never use the secret keys that satisfy A*. In order to satisfy A*, keys should correspond to the right 
level i of the hierarchy and satisfy $\tau^*$. As a result, we identify the following two cases. 

Case 1 In this case the adversary A uses the output obtained from Type 1 queries of the D-HABE security 
game defined in Section 6.1. In this case the secret keys obtained from the queries correspond to the 
level i of the hierarchy (i.e., the user belongs to the right level) but do not satisfy $\tau^*$ (i.e., the user does not possess 
the required attributes). 

We concentrate on feasible strategies of the adversary to cancel terms B, C and E in (1). Observe that 
in order to cancel terms B and C, A can pair the results of the queries from cells (1, 4) and (3, 1) in 
Table 1 and construct a polynomial of the form $\big(-rst - sr\sum_i \eta_i\big)$. 

Note that A can cancel term E only if he has secret keys that satisfy $\tau^*$, which contradicts the assump- 
tions of Case 1. From Table 1 we see that A has access to encodings of $(\mathcal{R}y_j + x + y_j)$ and of $t_j$, 
so he can try to combine them with the terms $s_j$ and $s_j t_j$ in order to construct 
$(\mathcal{R}y_j + x + y_j)\,s$. However, according to the security definition, A must lack at least one 
component of the secret key related to the ciphertext created using $\tau^*$. This means that there must be 
at least one share $(\mathcal{R}y_j + x + y_j)\,s_j$ to which A does not have access. Therefore, A would not be 
able to construct $(\mathcal{R}y_j + x + y_j)\,s$, which follows from the properties of Shamir secret sharing. As 
a result, A would not be able to cancel term E and thus A cannot construct a polynomial of the form 
$(\alpha - \beta)s$ using the strategy of Case 1. 

Case 2 In this case the adversary A uses the output obtained from Type 2 queries of the D-HABE security 
game defined in Section 6.1. In this case the secret keys obtained from the queries do not correspond 
to the level i of the hierarchy (i.e., the user does not belong to the right level) but satisfy $\tau^*$ (i.e., the user 
possesses the required attributes). 

We assume that A can only use secret keys that correspond to level $\hat{\imath}$ in the hierarchy, where $\hat{\imath} \neq i$ 
and i is the level for which the challenge ciphertext is created. These keys, however, satisfy $\tau^*$, which is part of A*. 
This assumption is in line with the security definition that states that A must not have access to the 
secret keys satisfying the challenge access structure A*. To differentiate between the secret keys 
corresponding to levels $\hat{\imath}$ and i, we use the notation $\hat{r}$ and r, respectively. 

Note that in this case A can cancel term E, since she has access to the secret components required 
to satisfy access tree $\tau^*$. To cancel terms B and C, A can pair the queries corresponding to cells 
(3, 7), (4, 1) and (4, 4) from Table 1 and construct a polynomial of the form $\big(-s\hat{r}t - s\hat{r}\sum_i \eta_i\big)$. 
However, to cancel terms B and C, A needs access to rs, which contradicts the D-HABE 
security model. Thus, we may conclude that using the strategy of Case 2, the adversary is not able to 
construct a polynomial of the form $(\alpha - \beta)s$. 

Therefore, we conclude that A cannot make polynomial queries resulting in a polynomial of the form 
$(\alpha - \beta)s$. This proves that there is no generic adversary A that could break the proposed D-HABE scheme 
with non-negligible advantage. 






